<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<!-- GenHTML revision 25226-->
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<title>Security Mechanisms - The Java EE 6 Tutorial</title>
<meta name="robots" content="index,follow">
<meta name="robots" content="index,follow">
<meta name="date" content="2011-03-01">
<link rel="stylesheet" type="text/css" href="css/default.css">
<link rel="stylesheet" type="text/css" href="css/ipg.css">
<link rel="stylesheet" type="text/css" href="css/javaeetutorial.css">
</head>

<body>

<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody>
   <tr valign="top">
      <td width="400px"><p class="toc level1"><a href="docinfo.html">Document Information</a></p>
<p class="toc level1 tocsp"><a href="gexaf.html">Preface</a></p>
<p class="toc level1 tocsp"><a href="gfirp.html">Part&nbsp;I&nbsp;Introduction</a></p>
<p class="toc level2"><a href="bnaaw.html">1.&nbsp;&nbsp;Overview</a></p>
<p class="toc level2"><a href="gfiud.html">2.&nbsp;&nbsp;Using the Tutorial Examples</a></p>
<p class="toc level1 tocsp"><a href="bnadp.html">Part&nbsp;II&nbsp;The Web Tier</a></p>
<p class="toc level2"><a href="bnadr.html">3.&nbsp;&nbsp;Getting Started with Web Applications</a></p>
<p class="toc level2"><a href="bnaph.html">4.&nbsp;&nbsp;JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="giepx.html">5.&nbsp;&nbsp;Introduction to Facelets</a></p>
<p class="toc level2"><a href="gjddd.html">6.&nbsp;&nbsp;Expression Language</a></p>
<p class="toc level2"><a href="bnaqz.html">7.&nbsp;&nbsp;Using JavaServer Faces Technology in Web Pages</a></p>
<p class="toc level2"><a href="gjcut.html">8.&nbsp;&nbsp;Using Converters, Listeners, and Validators</a></p>
<p class="toc level2"><a href="bnatx.html">9.&nbsp;&nbsp;Developing with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkmaa.html">10.&nbsp;&nbsp;JavaServer Faces Technology Advanced Concepts</a></p>
<p class="toc level2"><a href="bnawo.html">11.&nbsp;&nbsp;Configuring JavaServer Faces Applications</a></p>
<p class="toc level2"><a href="gkiow.html">12.&nbsp;&nbsp;Using Ajax with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkhxa.html">13.&nbsp;&nbsp;Advanced Composite Components</a></p>
<p class="toc level2"><a href="bnavg.html">14.&nbsp;&nbsp;Creating Custom UI Components</a></p>
<p class="toc level2"><a href="bnafd.html">15.&nbsp;&nbsp;Java Servlet Technology</a></p>
<p class="toc level2"><a href="bnaxu.html">16.&nbsp;&nbsp;Internationalizing and Localizing Web Applications</a></p>
<p class="toc level1 tocsp"><a href="bnayk.html">Part&nbsp;III&nbsp;Web Services</a></p>
<p class="toc level2"><a href="gijti.html">17.&nbsp;&nbsp;Introduction to Web Services</a></p>
<p class="toc level2"><a href="bnayl.html">18.&nbsp;&nbsp;Building Web Services with JAX-WS</a></p>
<p class="toc level2"><a href="giepu.html">19.&nbsp;&nbsp;Building RESTful Web Services with JAX-RS</a></p>
<p class="toc level2"><a href="gjjxe.html">20.&nbsp;&nbsp;Advanced JAX-RS Features</a></p>
<p class="toc level2"><a href="gkojl.html">21.&nbsp;&nbsp;Running the Advanced JAX-RS Example Application</a></p>
<p class="toc level1 tocsp"><a href="bnblr.html">Part&nbsp;IV&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijsz.html">22.&nbsp;&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijre.html">23.&nbsp;&nbsp;Getting Started with Enterprise Beans</a></p>
<p class="toc level2"><a href="gijrb.html">24.&nbsp;&nbsp;Running the Enterprise Bean Examples</a></p>
<p class="toc level2"><a href="bnbpk.html">25.&nbsp;&nbsp;A Message-Driven Bean Example</a></p>
<p class="toc level2"><a href="gkcqz.html">26.&nbsp;&nbsp;Using the Embedded Enterprise Bean Container</a></p>
<p class="toc level2"><a href="gkidz.html">27.&nbsp;&nbsp;Using Asynchronous Method Invocation in Session Beans</a></p>
<p class="toc level1 tocsp"><a href="gjbnr.html">Part&nbsp;V&nbsp;Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="giwhb.html">28.&nbsp;&nbsp;Introduction to Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="gjbls.html">29.&nbsp;&nbsp;Running the Basic Contexts and Dependency Injection Examples</a></p>
<p class="toc level2"><a href="gjehi.html">30.&nbsp;&nbsp;Contexts and Dependency Injection for the Java EE Platform: Advanced Topics</a></p>
<p class="toc level2"><a href="gkhre.html">31.&nbsp;&nbsp;Running the Advanced Contexts and Dependency Injection Examples</a></p>
<p class="toc level1 tocsp"><a href="bnbpy.html">Part&nbsp;VI&nbsp;Persistence</a></p>
<p class="toc level2"><a href="bnbpz.html">32.&nbsp;&nbsp;Introduction to the Java Persistence API</a></p>
<p class="toc level2"><a href="gijst.html">33.&nbsp;&nbsp;Running the Persistence Examples</a></p>
<p class="toc level2"><a href="bnbtg.html">34.&nbsp;&nbsp;The Java Persistence Query Language</a></p>
<p class="toc level2"><a href="gjitv.html">35.&nbsp;&nbsp;Using the Criteria API to Create Queries</a></p>
<p class="toc level2"><a href="gkjiq.html">36.&nbsp;&nbsp;Creating and Using String-Based Criteria Queries</a></p>
<p class="toc level2"><a href="gkjjf.html">37.&nbsp;&nbsp;Controlling Concurrent Access to Entity Data with Locking</a></p>
<p class="toc level2"><a href="gkjia.html">38.&nbsp;&nbsp;Improving the Performance of Java Persistence API Applications By Setting a Second-Level Cache</a></p>
<p class="toc level1 tocsp"><a href="gijrp.html">Part&nbsp;VII&nbsp;Security</a></p>
<p class="toc level2"><a href="bnbwj.html">39.&nbsp;&nbsp;Introduction to Security in the Java EE Platform</a></p>
<p class="toc level3"><a href="bnbwk.html">Overview of Java EE Security</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwl">A Simple Application Security Walkthrough</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwm">Step 1: Initial Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwo">Step 2: Initial Authentication</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwq">Step 3: URL Authorization</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbws">Step 4: Fulfilling the Original Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwu">Step 5: Invoking Enterprise Bean Business Methods</a></p>
<p class="toc level4 tocsp"><a href="bnbwk.html#bnbww">Features of a Security Mechanism</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwx">Characteristics of Application Security</a></p>
<div id="scrolltoc" class="onpage">
<p class="toc level3 tocsp"><a href="">Security Mechanisms</a></p>
<p class="toc level4"><a href="#bnbwz">Java SE Security Mechanisms</a></p>
<p class="toc level4"><a href="#bnbxa">Java EE Security Mechanisms</a></p>
<p class="toc level5"><a href="#bnbxb">Application-Layer Security</a></p>
<p class="toc level5"><a href="#bnbxc">Transport-Layer Security</a></p>
<p class="toc level5"><a href="#bnbxd">Message-Layer Security</a></p>
</div>
<p class="toc level3 tocsp"><a href="bnbxe.html">Securing Containers</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxg">Using Annotations to Specify Security Information</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxf">Using Deployment Descriptors for Declarative Security</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxh">Using Programmatic Security</a></p>
<p class="toc level3 tocsp"><a href="bnbxi.html">Securing the GlassFish Server</a></p>
<p class="toc level3"><a href="bnbxj.html">Working with Realms, Users, Groups, and Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxk">What Are Realms, Users, Groups, and Roles?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxm">What Is a Realm?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxn">What Is a User?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxo">What Is a Group?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxp">What Is a Role?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxq">Some Other Terminology</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxr">Managing Users and Groups on the GlassFish Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxs">To Add Users to the GlassFish Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxt">Adding Users to the Certificate Realm</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxu">Setting Up Security Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxv">Mapping Roles to Users and Groups</a></p>
<p class="toc level3 tocsp"><a href="bnbxw.html">Establishing a Secure Connection Using SSL</a></p>
<p class="toc level4"><a href="bnbxw.html#bnbxx">Verifying and Configuring SSL Support</a></p>
<p class="toc level4"><a href="bnbxw.html#bnbyb">Working with Digital Certificates</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyc">Creating a Server Certificate</a></p>
<p class="toc level3 tocsp"><a href="bnbyj.html">Further Information about Security</a></p>
<p class="toc level2 tocsp"><a href="bncas.html">40.&nbsp;&nbsp;Getting Started Securing Web Applications</a></p>
<p class="toc level2"><a href="bnbyk.html">41.&nbsp;&nbsp;Getting Started Securing Enterprise Applications</a></p>
<p class="toc level1 tocsp"><a href="gijue.html">Part&nbsp;VIII&nbsp;Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="gijto.html">42.&nbsp;&nbsp;Introduction to Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="bncih.html">43.&nbsp;&nbsp;Transactions</a></p>
<p class="toc level2"><a href="bncjh.html">44.&nbsp;&nbsp;Resource Connections</a></p>
<p class="toc level2"><a href="bncdq.html">45.&nbsp;&nbsp;Java Message Service Concepts</a></p>
<p class="toc level2"><a href="bncgv.html">46.&nbsp;&nbsp;Java Message Service Examples</a></p>
<p class="toc level2"><a href="gkahp.html">47.&nbsp;&nbsp;Advanced Bean Validation Concepts and Examples</a></p>
<p class="toc level2"><a href="gkeed.html">48.&nbsp;&nbsp;Using Java EE Interceptors</a></p>
<p class="toc level1 tocsp"><a href="gkgjw.html">Part&nbsp;IX&nbsp;Case Studies</a></p>
<p class="toc level2"><a href="gkaee.html">49.&nbsp;&nbsp;Duke's Tutoring Case Study Example</a></p>
<p class="toc level1 tocsp"><a href="idx-1.html">Index</a></p>
</td>
      <td width="10px">&nbsp;</td>
      <td>
         <div class="header">
             <div class="banner">
                <table width="100%" border="0" cellpadding="5" cellspacing="0">
                   <tbody>
                      <tr>
                         <td valign="bottom"><p class="Banner">The Java EE 6 Tutorial
</p></td>
                         <td align="right"  valign="bottom"><img src="graphics/javalogo.png" alt="Java Coffee Cup logo"></td>
                      </tr>
                   </tbody>
                </table>
             </div>

             <div class="header-links">
	         <a href="./index.html">Home</a> | 
<a href="../information/download.html">Download</a> | 
<a href="./javaeetutorial6.pdf">PDF</a> | 
<a href="../information/faq.html">FAQ</a> | 
<a href="http://download.oracle.com/javaee/feedback.htm">Feedback</a>

             </div>
             <div class="navigation">
                 <a href="bnbwk.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
                 <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
                 <a href="bnbxe.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
             </div>
         </div>

	 <div class="maincontent">      	 
             

<a name="bnbwy"></a><h2>Security Mechanisms</h2>
<a name="indexterm-1910"></a><p>The characteristics of an application should be considered when deciding the layer and
type of security to be provided for applications. The following sections discuss the
characteristics of the common mechanisms that can be used to secure Java EE
applications. Each of these mechanisms can be used individually or with others to
provide protection layers based on the specific needs of your implementation.</p>



<a name="bnbwz"></a><h3>Java SE Security Mechanisms</h3>
<a name="indexterm-1911"></a><p>Java SE provides support for a variety of security features and mechanisms:</p>


<ul><li><p><a name="indexterm-1912"></a><a name="indexterm-1913"></a><b>Java Authentication and Authorization Service (JAAS)</b>: JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS provides a pluggable and extensible framework for programmatic user authentication and authorization. JAAS is a core Java SE API and is an underlying technology for Java EE security mechanisms.</p>

</li>
<li><p><a name="indexterm-1914"></a><a name="indexterm-1915"></a><a name="indexterm-1916"></a><b>Java Generic Security Services (Java GSS-API)</b>: Java GSS-API is a token-based API used to securely exchange messages between communicating applications. The GSS-API offers application programmers uniform access to security services atop a variety of underlying security mechanisms, including Kerberos.</p>

</li>
<li><p><a name="indexterm-1917"></a><a name="indexterm-1918"></a><b>Java Cryptography Extension (JCE)</b>: JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. Block ciphers operate on groups of bytes; stream ciphers operate on one byte at a time. The software also supports secure streams and sealed objects.</p>

</li>
<li><p><a name="indexterm-1919"></a><a name="indexterm-1920"></a><b>Java Secure Sockets Extension (JSSE)</b>: JSSE provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications.</p>

</li>
<li><p><a name="indexterm-1921"></a><a name="indexterm-1922"></a><b>Simple Authentication and Security Layer (SASL)</b>: SASL is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. SASL is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.</p>

</li></ul>
<p><a name="indexterm-1923"></a><a name="indexterm-1924"></a><a name="indexterm-1925"></a><a name="indexterm-1926"></a><a name="indexterm-1927"></a>Java SE also provides a set of tools for managing keystores, certificates, and
policy files; generating and verifying JAR signatures; and obtaining, listing, and managing Kerberos
tickets.</p>

<p>For more information on Java SE security, visit <a href="http://download.oracle.com/javase/6/docs/technotes/guides/security/">http://download.oracle.com/javase/6/docs/technotes/guides/security/</a>.</p>



<a name="bnbxa"></a><h3>Java EE Security Mechanisms</h3>
<a name="indexterm-1928"></a><p>Java EE security services are provided by the component container and can be
implemented by using declarative or programmatic techniques (see <a href="bnbxe.html">Securing Containers</a>). Java EE security
services provide a robust and easily configured security mechanism for authenticating users and authorizing
access to application functions and associated data at many different layers. Java EE
security services are separate from the security mechanisms of the operating system.</p>



<a name="bnbxb"></a><h4>Application-Layer Security</h4>
<a name="indexterm-1929"></a><a name="indexterm-1930"></a><p>In Java EE, component containers are responsible for providing application-layer security, security services
for a specific application type tailored to the needs of the application. At
the application layer, application firewalls can be used to enhance application protection by
protecting the communication stream and all associated application resources from attacks.</p>

<p>Java EE security is easy to implement and configure and can offer
fine-grained access control to application functions and data. However, as is inherent to security
applied at the application layer, security properties are not transferable to applications running
in other environments and protect data only while it is residing in the
application environment. In the context of a traditional enterprise application, this is not
necessarily a problem, but when applied to a web services application, in which
data often travels across several intermediaries, you would need to use the Java
EE security mechanisms along with transport-layer security and message-layer security for a complete security
solution.</p>

<p>The advantages of using application-layer security include the following.</p>


<ul><li><p>Security is uniquely suited to the needs of the application.</p>

</li>
<li><p>Security is fine grained, with application-specific settings.</p>

</li></ul>
<p>The disadvantages of using application-layer security include the following.</p>


<ul><li><p>The application is dependent on security attributes that are not transferable between application types.</p>

</li>
<li><p>Support for multiple protocols makes this type of security vulnerable. </p>

</li>
<li><p>Data is close to or contained within the point of vulnerability.</p>

</li></ul>
<p>For more information on providing security at the application layer, see <a href="bnbxe.html">Securing Containers</a>.</p>



<a name="bnbxc"></a><h4>Transport-Layer Security</h4>
<a name="indexterm-1931"></a><a name="indexterm-1932"></a><p><a name="indexterm-1933"></a><a name="indexterm-1934"></a>Transport-layer security is provided by the transport mechanisms used to transmit information over
the wire between clients and providers; thus, transport-layer security relies on secure HTTP
transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a point-to-point security mechanism
that can be used for authentication, message integrity, and confidentiality. When running over
an SSL-protected session, the server and client can authenticate each other and negotiate
an encryption algorithm and cryptographic keys before the application protocol transmits or receives
its first byte of data. Security is active from the time the data
leaves the client until it arrives at its destination, or vice versa, even
across intermediaries. The problem is that the data is not protected once it
gets to the destination. One solution is to encrypt the message before sending.</p>

<p>Transport-layer security is performed in a series of phases, as follows.</p>


<ul><li><p>The client and server agree on an appropriate algorithm.</p>

</li>
<li><p>A key is exchanged using public-key encryption and certificate-based authentication.</p>

</li>
<li><p>A symmetric cipher is used during the information exchange.</p>

</li></ul>
<p><a name="indexterm-1935"></a>Digital certificates are necessary when running HTTPS using SSL. The HTTPS service of
most web servers will not run unless a digital certificate has been installed.
Digital certificates have already been created for the GlassFish Server.</p>

<p>The advantages of using transport-layer security include the following.</p>


<ul><li><p>It is relatively simple, well-understood, standard technology.</p>

</li>
<li><p>It applies to both a message body and its attachments.</p>

</li></ul>
<p>The disadvantages of using transport-layer security include the following.</p>


<ul><li><p>It is tightly coupled with the transport-layer protocol.</p>

</li>
<li><p>It represents an all-or-nothing approach to security. This implies that the security mechanism is unaware of message contents, so that you cannot selectively apply security to portions of the message as you can with message-layer security.</p>

</li>
<li><p>Protection is transient. The message is protected only while in transit. Protection is removed automatically by the endpoint when it receives the message.</p>

</li>
<li><p>It is not an end-to-end solution, simply point-to-point.</p>

</li></ul>
<p>For more information on transport-layer security, see <a href="bnbxw.html">Establishing a Secure Connection Using SSL</a>.</p>



<a name="bnbxd"></a><h4>Message-Layer Security</h4>
<a name="indexterm-1936"></a><a name="indexterm-1937"></a><a name="indexterm-1938"></a><a name="indexterm-1939"></a><a name="indexterm-1940"></a><p>In message-layer security, security information is contained within the SOAP message and/or SOAP
message attachment, which allows security information to travel along with the message or
attachment. For example, a portion of the message may be signed by a
sender and encrypted for a particular receiver. When sent from the initial sender,
the message may pass through intermediate nodes before reaching its intended receiver. In
this scenario, the encrypted portions continue to be opaque to any intermediate nodes
and can be decrypted only by the intended receiver. For this reason, message-layer
security is also sometimes referred to as end-to-end security.</p>

<p>The advantages of message-layer security include the following.</p>


<ul><li><p>Security stays with the message over all hops and after the message arrives at its destination.</p>

</li>
<li><p>Security can be selectively applied to different portions of a message and, if using XML Web Services Security, to attachments.</p>

</li>
<li><p>Message security can be used with intermediaries over multiple hops.</p>

</li>
<li><p>Message security is independent of the application environment or transport protocol.</p>

</li></ul>
<p>The disadvantage of using message-layer security is that it is relatively complex and
adds some overhead to processing.</p>

<p>The GlassFish Server supports message security using Metro, a web services stack that
uses Web Services Security (WSS) to secure messages. Because this message security is
specific to Metro and is not a part of the Java EE
platform, this tutorial does not discuss using WSS to secure messages. See the
<i>Metro User&rsquo;s Guide</i> at <a href="http://metro.java.net/guide/">http://metro.java.net/guide/</a>.</p>


         </div>
         <div class="navigation">
             <a href="bnbwk.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
             <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
             <a href="bnbxe.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
         </div>

         <div class="copyright">
      	    <p>Copyright &copy; 2011, Oracle and/or its affiliates. All rights reserved. <a href="docinfo.html">Legal Notices</a></p>
      	 </div>

      </td>
   </tr>
</tbody>
</table>
</body>
</html>

